The BIMI draft includes a part about certification (for the logo being the logo 
of the brand, etc.), but this was the reason BIMI didn't take off.
It did take off when Yahoo! Mail (now part of Verizon Media Group) decided that 
instead of relying on an open and standardized implementation, they'll just use 
what they already have: a system that matches a sending domain, a brand, a 
reputation, and a logo.

There's little chance spamming domains are in this table, with a logo, a brand, 
and a good reputation, so little chance that Yahoo! will display the logo 
provided in the BIMI record for it.
I don't know how Gmail will do next year, but I guess they'll find something 
that works not too bad as well.

Note: Amazon doesn't have a BIMI record, and yet Amazon's logo is displayed on 
Yahoo! Mail. That's because Amazon is already known in their internal system. I 
believe eBay has also been in this system for a long time, but they still added the 
BIMI record, probably so they could choose what logo is displayed.

--
Benjamin

From: mailop <mailop-boun...@mailop.org> On Behalf Of Laura Atkins via mailop
Sent: Friday, 6 December 2019 12:23
To: mailop <mailop@mailop.org>
Subject: Re: [mailop] BIMI


On 6 Dec 2019, at 10:42, Vytis Marciulionis via mailop 
<mailop@mailop.org> wrote:

Hi,
I am not a part of the BIMI working group, but I think it is cool in its own 
way. So I will try to add my 2 cents.


- It is said to increase security for mailbox owners because seeing the
  company's logo they know they can see the message really is from 
  "brand.com".
  I still doubt this will work, because I could easily create a logo that
  looks similar to brand.com, but use 
  "brånd.com" <http://xn--brnd-roa.com/> including valid
  SPF/DKIM/DMARC which AFAIK are conditions that have to be met in order to
  display a BIMI logo.

For the time being the requirement is to have p=quarantine or p=reject on DMARC 
and a pass; also, significant volume, engagement and reputation are necessary for 
BIMI to appear.
Whereas it is indeed easy to authenticate your domains, spammers still don't do 
that due to them constantly switching domains and it being time-consuming.

You have the amount of effort involved in correctly authenticating with DMARC 
backwards for spammers and real companies.

It’s utterly trivial for a spammer to deploy DMARC authenticated email. They’ve 
been using disposable domains on disposable IPs for a long time. The process is 
automated to a very high degree and every spam message they send is fully DMARC 
aligned. The only change they need to make is to change their deployment 
scripts to publish one more DNS record. It’s trivial for a spammer to change 
domains and have those domains fully DMARC p=reject compliant.

For real companies, they need to actually discover where all their mail is 
coming from and go through a process of making sure each of those message 
streams is authenticated. It can take months for even small senders with only a 
few mail pathways to implement DMARC.


Needless to say, building a reputation with certain providers is also not 
something that spammers think of doing or, in most cases, are able to do.

You’ve not actually ever talked to companies many here would call spammers, 
have you? Spammers think about reputation all the time and work very hard to 
try and build a good reputation. There have even been lawsuits detailing the 
behavior they go through to try and manipulate their reputation.

Now, will spammers be able to take advantage of BIMI? That is currently unclear 
to me, but I’m sure they’re following the protocol development very closely and 
looking at how they can also have their mail display logos.

laura

--
Having an Email Crisis?  We can help! 800 823-9674

Laura Atkins
Word to the Wise
la...@wordtothewise.com
(650) 437-0741

Email Delivery Blog: https://wordtothewise.com/blog






_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
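
The thread's "brånd.com" case, as an added example that is not part of any message above and is not BIMI's or any mailbox provider's actual logic: a receiver-side check showing that a lookalike domain clears the DMARC policy condition mentioned in the thread and is only stopped by a separate brand-similarity test. The `PROTECTED` list, the function names and the sample DMARC records are constructed for illustration.

```python
import unicodedata

# Constructed sample data: a hypothetical list of protected brand domains.
PROTECTED = {"brand.com"}

def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_gate(record):
    """Policy condition named in the thread: p=quarantine or p=reject."""
    tags = parse_dmarc(record)
    return tags.get("v") == "DMARC1" and tags.get("p", "").lower() in ("quarantine", "reject")

def to_unicode(domain):
    """Decode xn-- labels to Unicode; names already in Unicode pass through."""
    try:
        return domain.lower().encode("ascii").decode("idna")
    except UnicodeError:
        return domain.lower()

def skeleton(domain):
    """Fold diacritics away (å -> a). Cross-script confusables are NOT covered."""
    decomposed = unicodedata.normalize("NFKD", to_unicode(domain))
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def lookalike_of(domain):
    """Return the protected domain this one imitates, or None."""
    if to_unicode(domain) in PROTECTED:
        return None  # it is the real brand domain
    folded = skeleton(domain)
    return folded if folded in PROTECTED else None

def logo_decision(domain, dmarc_record):
    """Combine both checks; reputation and volume checks would follow."""
    if not dmarc_gate(dmarc_record):
        return "no-logo: DMARC policy too weak"
    target = lookalike_of(domain)
    if target:
        return f"no-logo: lookalike of {target}"
    return "eligible: continue to reputation checks"
```

Diacritic folding catches this one substitution class only; homoglyphs from other scripts need a confusables table such as the one in Unicode UTS #39.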
